US9069967B2 · Active · Utility patent

Assessment and analysis of software security flaws

Assignee: WYSOPAL CHRISTOPHER J
Priority: Feb 16, 2007
Filed: Sep 17, 2010
Granted: Jun 30, 2015
Est. expiry: Feb 16, 2027 (~0.6 yrs left), nominal 20-yr term from priority
Inventors: WYSOPAL CHRISTOPHER J; ENG CHRISTOPHER J; MOYNAHAN MATTHEW P
Classifications: G06F 11/3612; G06F 21/577; G06F 2221/033
PatentIndex score: 89 · Cited by: 22 · References: 33 · Claims: 19

Abstract

Security analysis and vulnerability testing results are “packaged” or “bound to” the actual software they describe. By linking the results to the software itself, downstream users of the software can access information about the software, make informed decisions about implementation of the software, and analyze the security risk across an entire system by accessing all (or most) of the reports associated with the executables running on the system and summarizing the risks identified in the reports.

Claims

exact text as granted — not AI-modified
What is claimed is:

1. A computer-implemented method for providing access to security data related to a software application, the method comprising:
  creating a programmatic association between the software application and results of one or more security analysis tests performed against the software application wherein the results comprise references to flaws identified in source code of the software application;
  storing the results for subsequent electronic access on a data storage server comprising a security-threat database;
  providing access to the software application and instructions to access limited portions of the results stored in a central database using a unique key associated with an owner of the software application and the software application such that the results, including the source code, may be reviewed on demand by a user authenticated to use the unique key.

2. The method of claim 1 wherein the software application comprises executable object code distributed over a network.

3. The method of claim 2 wherein the results are distributed with the executable object code.

4. The method of claim 3 wherein the software application comprises an application package and the results are included in the application package.

5. The method of claim 1 wherein the software application comprises a web-based service accessible over a network.

6. The method of claim 1 wherein the software application comprises a collection of unrelated computing functions available over the Internet.

7. The method of claim 1 further comprising displaying the limited portion of the results to the user in response to a query submitted to the database.

8. The method of claim 1 further comprising transmitting the limited portion of the results to the user in response to a query submitted to the database.

9. The method of claim 8 further comprising encrypting portions of the results prior to transmission.

10. The method of claim 1 further comprising:
  (i) computing a hash of at least a portion of the software application;
  (ii) including the hash with a report comprising the results; and
  (iii) receiving a request from the user to view the results, the request including the hash such that the hash is used to identify and access the results.

11. The method of claim 1 wherein the instructions to access a report comprising the results comprise a URL directing the user to the report.

12. The method of claim 1 wherein a report comprising the results comprises an XML document, the XML document further comprising predefined tags.

13. A system for providing access to security data related to a plurality of software applications, the system comprising:
  at least one testing engine for performing a plurality of vulnerability tests on the software applications and associating results of the tests with the respective software application wherein the results comprise references to source code of the software application;
  a database for storing the results; and
  a communications server for receiving a request from a user of one of the software applications, the request including a unique key associated with an owner of the software application and the user, to access the results associated with the software application, and, based on the received request, provide the results, including the source code, associated with the software application to the user authenticated to use the unique key.

14. The system of claim 13 wherein the communications server further displays the results to the users.

15. The system of claim 13 wherein the software application comprises executable object code distributed over a network.

16. The system of claim 13 wherein the software application comprises an application package and the results are included in the application package.

17. The system of claim 13 wherein the software application comprises a web-based service accessible over a network.

18. The system of claim 13 wherein the software application comprises a collection of unrelated computing functions available over the Internet.

19. The system of claim 13 wherein the testing engine is further configured to compute a hash of at least a portion of the software application, and the communications server is further configured to include the hash with a report comprising the results and wherein the request includes the hash such that the hash is used to identify and access the results.
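As an added illustration (not the patent's own implementation, nor any code from the assignee), the following Python sketches the mechanism the claims describe: an XML report with predefined tags carrying a hash of the tested binary (claims 10, 12, 19), a store that is looked up by that hash, and access gated by a unique owner key so that an unauthenticated request receives only the limited portion without source (claims 1, 7, 13), plus the per-report severity roll-up the abstract mentions. The tag set, function names, sample application bytes, sample flaws and the owner key are all constructed assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample inputs (not from the patent): app bytes plus flaws a hypothetical tool found.
SAMPLE_APP = b"\x7fELF constructed sample application bytes v1.0"
SAMPLE_FLAWS = [
    {"cwe": "CWE-120", "severity": "high", "loc": "net.c:42", "src": "strcpy(buf, input);"},
    {"cwe": "CWE-327", "severity": "medium", "loc": "auth.c:7", "src": "md5(password)"},
]
OWNER_KEY = "owner-key-constructed-0001"  # unique key issued to the application owner

def app_hash(app_bytes: bytes) -> str:
    """Hash of the application: this is what binds a report to the binary."""
    return hashlib.sha256(app_bytes).hexdigest()

def build_report(app_bytes: bytes, flaws: list) -> str:
    """XML report with predefined tags, carrying the hash of what was tested."""
    root = ET.Element("securityReport")
    ET.SubElement(root, "appHash").text = app_hash(app_bytes)
    flaw_list = ET.SubElement(root, "flaws")
    for f in flaws:
        e = ET.SubElement(flaw_list, "flaw", cwe=f["cwe"], severity=f["severity"])
        ET.SubElement(e, "location").text = f["loc"]
        ET.SubElement(e, "source").text = f["src"]  # source reference: owner-only
    return ET.tostring(root, encoding="unicode")

class ReportStore:
    """Stand-in for the security-threat database, keyed by application hash."""
    def __init__(self):
        self._reports, self._owner_keys = {}, {}
    def store(self, report_xml: str, owner_key: str) -> str:
        h = ET.fromstring(report_xml).findtext("appHash")
        self._reports[h], self._owner_keys[h] = report_xml, owner_key
        return h
    def fetch(self, app_bytes: bytes, key: str = None):
        """Look up by the hash of the binary the requester holds; source is redacted without the owner's key."""
        h = app_hash(app_bytes)
        if h not in self._reports:
            return None  # modified or never-analysed build: no report is bound to it
        root = ET.fromstring(self._reports[h])
        if key is None or not hmac.compare_digest(key, self._owner_keys[h]):
            for src in root.iter("source"):
                src.text = "[redacted]"  # the limited portion of the results
        return ET.tostring(root, encoding="unicode")

def risk_summary(report_xml: str) -> dict:
    """Flaw count per severity, the per-report input to a system-wide roll-up."""
    return dict(Counter(f.get("severity") for f in ET.fromstring(report_xml).iter("flaw")))
```

Because the lookup rehashes the bytes the requester actually holds, a report can never be served for a build other than the one that was tested.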
